Possible Information Leak, Considered Unlikely

Possible Display Information Leak

On August 7th, Christian Reitter is announcing a possible side-channel
data leak as a vulnerability across all hardware wallets which use
OLED displays. At Coinkite, we’ve already mitigated it, even though
we feel strongly that it is not a legitimate issue. In our opinion,
it is both unproven (might not even work) and also completely
impractical—even if it could be made to work perfectly.

Background

We received an email earlier this year describing a possible issue
and telling us to keep it secret for months. The idea was that the
graphical display commonly used on hardware wallets, including the
Coinkite Coldcard, was leaking information over the USB power lines
about what it’s showing on the screen. Naturally enough, bright “ON”
pixels take more energy than “OFF” pixels.

Your attacker would have to install monitoring hardware into the
USB power source you use to power the Coldcard during the initial
seed setup. We don’t know how bulky that would be, but if you use
a trusted USB battery pack or AC adapter, you would be fine. If
you’re like me, your home or office has hundreds of AC adapters and
thousands of USB cables to choose from… Each of these would need
the mythical “hardware implant” installed beforehand to get a
chance to capture your seed the one time it is shown on screen.

We challenged Christian for more specific details and a proof of
concept. He never really provided anything solid, just a few scope
captures of varying noise and no solid evidence that it directly
represented the screen contents. Normally, we’d expect to see a
proof of concept demo, where he reconstructs the screen contents.
That would make for a good presentation!

(Aside: We don’t appreciate how he’s doxed our company emails to
others in the industry when he carelessly sends out bulk emails.)

The Risks

But what do we show on screen that’s a secret? Not much.

When you first setup a Coldcard, the seed words are shown on screen
so you can write them down as a backup. That’s the only time this
private key material is shown to the user.

Each digit of the PIN is shown briefly as you enter the PIN so
that’s a hazard as well, but since there is no real-world implementation
of this information leak, we don’t know if that’s long enough
on screen to get a “good read” of the PIN digits.

The Solution

Coldcard firmware version 2.1.2, available for download
already, has mitigations for
both those areas: when entering the PIN, your digits are no longer
echoed. Instead an X is shown, except if using a Mk1 device with
it’s fine touch interface—you need the echo as a feedback.

For the few moments of the Coldcard’s lifecycle where the seed words are
shown on screen, we’ve added masking noise along the right hand
side of the screen. Since we don’t have a working proof-of-concept,
it’s not possible to conclusively prove that this plugs the leak,
but we feel the large amount of random noise on each line will be
enough to swamp out any valid data that might be leaked on this
side channel.

In future hardware, we intend to improve USB power supply filtering
so that very little noise (or is it signal?) comes out of the
Coldcard. That’s a broader mitigation and would help if some other,
as yet unknown, information leak exists.

Credits

We’d like to thank Christian for being responsible in his disclosure
of this issue, and it’s good we have researchers looking at these
things. We hope that disclosure of unproven/minor issues doesn’t
lead to fatigue or complacency in the community.

Christian applied for, and received CVE-2019-14356 as a code number
for the Coldcard version of this issue. We are not involved in
that process with MITRE.